web-tools-guide

Review

Audited by ClawScan on May 10, 2026.

Overview

This is mostly a web-tool guide, but its setup path can install unverified browser-extension code and restart or alter local browser and gateway processes, so it should be reviewed before use.

Before installing, review the opencli setup script and the browser extension source or checksum. Do not run the setup unless you are comfortable with it installing a global npm package, loading a persistent browser extension, and restarting Chrome. If configuring search, provide only the intended API key and prefer the scoped gateway restart command over the broad process-kill fallbacks.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running setup could install code that affects the local browser and web sessions, and the reviewed artifacts do not let the user verify exactly what the browser extension will do.

Why it was flagged

The installer pulls a global npm package and a browser extension from remote release channels without a pinned version, checksum, or included extension source for review.

Skill content

npm install -g @jackwener/opencli ... ${GITHUB_RELEASE_BASE}/latest/download/opencli-extension.zip

Recommendation

Pin exact package and extension versions, publish checksums or signatures, and include or link to the reviewed extension manifest/source before asking the agent to install it.

What this means

The setup can relaunch the user's browser with changed arguments and may behave unexpectedly if the original command line contains unusual shell-sensitive content.

Why it was flagged

The script reconstructs the existing Chrome command line and executes it through a shell while adding extension-loading flags.

Skill content

local new_cmdline="${clean_cmdline} --disable-extensions-except=${ext_dir} --load-extension=${ext_dir}" ... nohup bash -c "exec ${new_cmdline}"

Recommendation

Avoid re-executing reconstructed command lines through `bash -c`; use an argument array or a controlled launch command, and ask for explicit user approval before relaunching the browser.

What this means

A broad process kill could interrupt unrelated gateway services or the agent environment, causing failures outside the original search task.

Why it was flagged

The documented fallback for applying API-key configuration can kill any process matching a broad 'gateway' pattern, not just this skill's own service.

Skill content

pkill -f "openclaw-gateway" || pkill -f "gateway"

Recommendation

Prefer a scoped `openclaw restart gateway` command, verify the target process before killing it, and avoid broad `pkill -f gateway` instructions.

What this means

The skill may persist a provider API key in local agent configuration so web_search can work.

Why it was flagged

The skill asks users for Tavily or Kimi API keys and saves them into OpenClaw configuration after confirmation.

Skill content

openclaw config set plugins.entries.tavily.config.webSearch.apiKey <user-provided-key>

Recommendation

Only provide a key you intend OpenClaw to store, confirm the provider and scope, and know how to rotate or remove the key later.

What this means

If the user asks for account actions, the agent may be able to post, follow, block, or like content through supported sites.

Why it was flagged

The opencli tool can perform public/account-mutating actions, but the guide explicitly requires notice and confirmation before such actions.

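Skill content

Some commands support write operations (posting, following, liking, etc.); before executing them, the user must be informed and their confirmation obtained.

Recommendation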

Keep the confirmation requirement, show the exact action and content before execution, and avoid using write-capable commands unless the user explicitly requests them.